Supported signature formats through the signature key parameter:
Supported digest algorithms through the Subjects parameter:
To trace software back to its source and map the moving parts of a complex supply chain, provenance has to be in place from the very beginning. Provenance is verifiable information about software artifacts that describes where, when, and how they were produced. Higher SLSA levels, which give more resilient integrity guarantees, impose stricter provenance requirements and call for a deeper, more technical understanding of the predicate.
The in-toto Attestation Framework provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of the software can then validate the origins of the software and establish trust in its supply chain using in-toto attestations.
The Envelope is the outermost layer of the attestation, handling authentication and serialization.
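How a consumer checks both layers, as an added Go example (not code from the original page or from the in-toto project): the envelope signature is verified over the DSSE pre-authentication encoding before the payload is parsed, and only then is the artifact's digest matched against the statement's subjects. It assumes a DSSE envelope signed with a single Ed25519 key and sha256 subject digests; `VerifyArtifact`, `Sample`, `app.tar.gz` and the sample statement are hypothetical names and constructed data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const inTotoType = "application/vnd.in-toto+json"
// pae is the DSSE pre-authentication encoding: it binds the payload type to the body.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// VerifyArtifact authenticates the envelope, then matches the artifact to a subject.
func VerifyArtifact(raw []byte, pub ed25519.PublicKey, artifact []byte) (string, error) {
	var env struct { // encoding/json matches field names to keys case-insensitively
		PayloadType, Payload string
		Signatures           []struct{ Sig string }
	}
	var st struct {
		PredicateType string
		Subject       []struct{ Digest map[string]string }
	}
	if json.Unmarshal(raw, &env) != nil || env.PayloadType != inTotoType || len(env.Signatures) == 0 {
		return "", fmt.Errorf("not a signed in-toto envelope")
	}
	body, _ := base64.StdEncoding.DecodeString(env.Payload)
	sig, _ := base64.StdEncoding.DecodeString(env.Signatures[0].Sig) // first signature only
	if !ed25519.Verify(pub, pae(env.PayloadType, body), sig) || json.Unmarshal(body, &st) != nil {
		return "", fmt.Errorf("bad signature or malformed statement")
	}
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == fmt.Sprintf("%x", sha256.Sum256(artifact)) {
			return st.PredicateType, nil
		}
	}
	return "", fmt.Errorf("artifact is not a subject of this attestation")
}

func Sample() ([]byte, ed25519.PublicKey, []byte) { // constructed envelope, throwaway key, artifact
	pub, priv, _ := ed25519.GenerateKey(nil)
	art, b64 := []byte("constructed artifact bytes"), base64.StdEncoding.EncodeToString
	body := []byte(fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/provenance/v1","subject":[{"name":"app.tar.gz","digest":{"sha256":"%x"}}]}`, sha256.Sum256(art)))
	return []byte(fmt.Sprintf(`{"payloadType":%q,"payload":%q,"signatures":[{"sig":%q}]}`, inTotoType, b64(body), b64(ed25519.Sign(priv, pae(inTotoType, body))))), pub, art
}

func main() { fmt.Println(VerifyArtifact(Sample())) }
```

The returned `predicateType` lets the caller decide whether the authenticated statement is the kind of claim it expects before trusting anything inside the predicate.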